I am developing a backend for my site and I have put all of my forms for doing SQL queries in includes/forms. My index & edit pages etc. require login using the following code:

if(!$session->logged_in)
{
header('Location: login.php');
die;
}

However, I can't put this code in my forms because it will throw an error for re-declaration, so I just put a .htaccess in the includes directory with deny from all. So far, it's doing exactly what I want: the forms include in my pages & everything works, and if I use my browser to navigate to the includes/forms directory or any of the files inside it, I get a forbidden message. Great!

Is this a common way to protect such files, or might this lead to any problems that I haven't thought of?

afaik: if you use user/pw on that folder, ppl will be asked to login - even if the including page is NOT protected.. if you simply do something like *.php deny all, it "should" work.. but I speak from memory - not tested recently..

regards
simpeligent

Edited: if you want to use your quoted code, you need to buffer the output

on top of page make ob_start(), on bottom ob_end()

afaik you can redirect between those commands with header.. you can even start a session in between because no output-stream is opened until the ob_end() or ob_flush()

Ok thanks, I'm not sure how to password protect the directory itself with php, I only know how to protect the file.

I used straight deny all with .htaccess, no access to anything in that folder and my pages still include the files ok. I just tried to remotely include the form and that doesn't work, so it seems pretty secure, but I guess maybe I should look up how to protect directories with the same login.

no better not - for the include purpose, the password is the "no go".. why it works with deny all and not with pw is that user/pw is I guess because it's a http action - after the output stream was opened - the "deny all" obviously also applies to http-type access to this folder.. php-including happens - so to speak - on a layer above - so it is not affected by htaccess-rules

I guess we could say it that way: Apache reads the htaccess - not php!

the password user thing was just a problem I encountered once in the past, so I wanted to inform you about that possible problem
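
A defence-in-depth guard for the form includes discussed in this thread, added here as an example and not posted by either participant. It keeps the files protected if the .htaccess rule is ever not applied, and repeats the login check without loading the session code a second time. The file name in the comment is an assumption, and it assumes the page creates `$session` before including the form.

```php
<?php
// Added example, not from the thread. Intended as the first lines of a form
// include such as includes/forms/edit_form.php (file name is an assumption).

// 1. Fallback for when the .htaccess "deny from all" is not applied
//    (AllowOverride None, a server move, a directory copied without the file).
//    SCRIPT_FILENAME is the script the web server was asked to run; when this
//    file is pulled in with include/require it names the including page, so
//    the two paths only match on a direct request for this file.
if (isset($_SERVER['SCRIPT_FILENAME'])
    && realpath($_SERVER['SCRIPT_FILENAME']) === realpath(__FILE__)) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Repeat the login check without loading the session code again.
//    An included file runs in the variable scope of the include statement,
//    so the $session object created by the page is visible here (assumes the
//    include happens at page level, not inside a function). Nothing is
//    declared in this file, so there is nothing to re-declare.
if (!isset($session) || !$session->logged_in) {
    // If the page has already sent output, header() only raises a warning,
    // but exit still stops the form code below from running.
    header('Location: login.php');
    exit;
}

// ... form markup and query handling follow ...
```

Running the file on its own (over HTTP or with the PHP CLI) hits the first check and prints "Forbidden"; included from a page with a logged-in `$session`, both checks pass and the form code runs.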